3 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
7 # This script generates two chains of test certificates:
9 # 1. A (end-entity) -> B -> C -> D (self-signed root)
10 # 2. A (end-entity) -> B -> C2 (self-signed root)
12 # in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
13 # certificate that uses the same keypair as C.
15 # We use these cert chains in
16 # SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
17 # SSLInfo objects see the certificate chain as validated rather than as
18 # served by the server. The server serves chain 1. The client has C2, NOT D,
19 # installed as a trusted root. Therefore, the chain will validate as chain
20 # 2, even though the server served chain 1.
27 generate_key_command () {
40 echo Create the serial number files.
44 try echo $serial > out/$i-serial
45 serial=$(expr $serial + 1)
48 echo Generate the keys.
49 try openssl genrsa -out out/A.key 2048
50 try openssl genrsa -out out/B.key 2048
51 try openssl genrsa -out out/C.key 2048
52 try openssl genrsa -out out/D.key 2048
54 echo Generate the D CSR.
55 CA_COMMON_NAME="D Root CA" \
61 TYPE=D CERTIFICATE=D \
66 -config redundant-ca.cnf
69 CA_COMMON_NAME="D Root CA" \
79 echo Generate the C2 root CSR.
80 CA_COMMON_NAME="C CA" \
86 TYPE=C2 CERTIFICATE=C2 \
91 -config redundant-ca.cnf
94 CA_COMMON_NAME="C CA" \
100 -extensions ca_cert \
104 echo Generate the B and C intermediaries\' CSRs.
107 name="$i Intermediate CA"
108 CA_COMMON_NAME="$i CA" \
114 TYPE=$i CERTIFICATE=$i \
119 -config redundant-ca.cnf
122 echo D signs the C intermediate.
123 # Make sure the signer's DB file exists.
124 touch out/D-index.txt
125 CA_COMMON_NAME="D Root CA" \
131 TYPE=D CERTIFICATE=D \
134 -extensions ca_cert \
137 -config redundant-ca.cnf
139 echo C signs the B intermediate.
140 touch out/C-index.txt
141 CA_COMMON_NAME="C CA" \
147 TYPE=C CERTIFICATE=C \
150 -extensions ca_cert \
153 -config redundant-ca.cnf
155 echo Generate the A end-entity CSR.
163 touch out/B-index.txt
164 CA_COMMON_NAME="B CA" \
167 KEY_SIZE=$signer_key_size \
169 CERT_TYPE=intermediate \
170 TYPE=B CERTIFICATE=B \
173 -extensions user_cert \
176 -config redundant-ca.cnf
178 echo Create redundant-server-chain.pem
179 cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
180 > redundant-server-chain.pem
182 echo Create redundant-validated-chain.pem
183 cat out/A.key out/A.pem out/B.pem out/C2.pem > redundant-validated-chain.pem
185 echo Create redundant-validated-chain-root.pem
186 cp out/C2.pem redundant-validated-chain-root.pem